US10992643B2ActiveUtilityA1

Port authentication control for access control and information security

54
Assignee: BANK OF AMERICAPriority: Jul 26, 2017Filed: Nov 4, 2019Granted: Apr 27, 2021
Est. expiryJul 26, 2037(~11 yrs left)· nominal 20-yr term from priority
H04L 63/0876H04L 63/1433H04L 63/0236H04L 41/0853H04L 63/101
54
PatentIndex Score
0
Cited by
33
References
15
Claims

Abstract

A system includes a switch that includes a plurality of ports and a threat management server coupled to the switch. The threat management server includes a memory and a threat management engine. The memory stores a port exemption log identifying ports on the switch configured to bypass authentication, and device information for endpoint devices connected to the ports on the switch configured to bypass authentication. The threat management engine is configured to receive an exemption request requesting an authentication exemption for a first port, add the first port to the port exemption log, and send an exemption command to the switch identifying the first port. The exemption command triggers the switch to bypass authentication for the first port.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A system comprising:
 a switch comprising a plurality of ports, wherein each port of the plurality of ports is operable to connect to an endpoint device and connect the endpoint device to a network; and 
 a threat management server operably coupled to the switch, and comprising:
 a memory configured to store:
 a port exemption log identifying:
 ports on the switch configured to bypass authentication, wherein bypassing authentication comprises allowing the endpoint devices connected to the ports configured to bypass authentication to connect to the network without authenticating the endpoint devices; and 
 device information for the endpoint devices connected to the ports on the switch configured to bypass authentication; and 
 
 
 a threat management engine implemented by a processor configured to:
 receive an exemption request requesting an authentication exemption for a first port; 
 add the first port to the port exemption log; 
 send an exemption command to the switch identifying the first port, 
 
 wherein the exemption command triggers the switch to bypass authentication for the first port;
 after sending the exemption command:
 detect a difference between a current port configuration for the first port of the switch and the port exemption log for the switch, wherein the current port configuration includes information identifying ports currently configured to bypass authentication; and 
 enable port authentication on the first port in response to detecting the difference between the current port configuration for the first port of the switch and the port exemption log for the switch, such that the endpoint device connected to the first port must be authenticated prior to connecting to the network. 
 
 
 
 
     
     
       2. The system of  claim 1 , wherein detecting the difference between the current port configuration for the first port of the switch and the port exemption log for the switch comprises:
 identifying an endpoint device based on differences between device information in the port exemption log and device information in the current port configuration; and 
 determining the endpoint device is connected to the first port. 
 
     
     
       3. The system of  claim 1 , wherein the threat management engine is configured to:
 identify an endpoint device connected to the first port; and 
 send an alert identifying the endpoint device. 
 
     
     
       4. The system of  claim 1 , wherein the threat management engine is configured to generate a virtual map of endpoint devices connected to ports of the switch based on the current port configuration. 
     
     
       5. The system of  claim 1 , wherein the threat management engine is configured to interrogate the switch for switch information comprising the current port configuration by sending a system network management protocol (SNMP) query message to the switch. 
     
     
       6. A threat management server comprising:
 a memory configured to store:
 a port exemption log identifying:
 ports on a switch configured to bypass authentication, wherein the switch comprises a plurality of ports, wherein each port of the plurality of ports is operable to connect to an endpoint device and connect the endpoint device to a network, wherein bypassing authentication comprises allowing the endpoint devices connected to the ports configured to bypass authentication to connect to the network without authenticating the endpoint devices; and 
 device information for the endpoint devices connected to the ports on the switch configured to bypass authentication; and 
 
 
 a threat management engine implemented by a processor configured to:
 receive an exemption request requesting an authentication exemption for a first port; 
 add the first port to the port exemption log; 
 send an exemption command to the switch identifying the first port, wherein the exemption command triggers the switch to bypass authentication for the first port; 
 after sending the exemption command:
 detect a difference between a current port configuration for the first port of the switch and the port exemption log for the switch, wherein the current port configuration includes information identifying ports currently configured to bypass authentication; and 
 enable port authentication on the first port in response to detecting the difference between the current port configuration for the first port of the switch and the port exemption log for the switch, such that the endpoint device connected to the first port must be authenticated prior to connecting to the network. 
 
 
 
     
     
       7. The threat management server of  claim 6 , wherein detecting the difference between the current port configuration for the first port of the switch and the port exemption log for the switch comprises:
 identifying an endpoint device based on differences between device information in the port exemption log and device information in the current port configuration; and 
 determining the endpoint device is connected to the first port. 
 
     
     
       8. The threat management server of  claim 6 , wherein the threat management engine is configured to:
 identify an endpoint device connected to the first port; and 
 send an alert identifying the endpoint device. 
 
     
     
       9. The threat management server of  claim 6 , wherein the threat management engine is configured to generate a virtual map of endpoint devices connected to ports of the switch based on the current port configuration. 
     
     
       10. The threat management server of  claim 6 , wherein the threat management engine is configured to interrogate the switch for switch information comprising the current port configuration by sending a system network management protocol (SNMP) query message to the switch. 
     
     
       11. A method, comprising:
 storing a port exemption log identifying:
 ports on a switch configured to bypass authentication, wherein the switch comprises a plurality of ports, wherein each port of the plurality of ports is operable to connect to an endpoint device and connect the endpoint device to a network, wherein bypassing authentication comprises allowing the endpoint devices connected to the ports configured to bypass authentication to connect to the network without authenticating the endpoint devices; and 
 device information for the endpoint devices connected to the ports on the switch configured to bypass authentication 
 
 receiving, by a threat management server, an exemption request requesting an authentication exemption for a first port of the switch; 
 adding, by the threat management server, the first port to the port exemption log; 
 sending, by the threat management server, an exemption command to the switch identifying the first port, wherein the exemption command triggers the switch to bypass authentication for the first port; 
 after sending the exemption command:
 detecting a difference between a current port configuration for the first port of the switch and the port exemption log for the switch, wherein the current port configuration includes information identifying ports currently configured to bypass authentication; and 
 enabling port authentication the first port in response to detecting the difference between the current port configuration for the first port of the switch and the port exemption log for the switch, such that the endpoint device connected to the first port must be authenticated prior to connecting to the network. 
 
 
     
     
       12. The method of  claim 11 , wherein detecting the difference between the current port configuration for the first port of the switch and the port exemption log for the switch comprises:
 identifying an endpoint device based on differences between device information in the port exemption log and device information in the current port configuration; and 
 determining the endpoint device is connected to the first port. 
 
     
     
       13. The method of  claim 11 , further comprising:
 identifying, by the threat management server, an endpoint device connected to the first port; and 
 sending, by the threat management server, an alert identifying the endpoint device. 
 
     
     
       14. The method of  claim 11 , further comprising generating, by the threat management server, a virtual map of endpoint devices connected to ports of the switch based on the current port configuration. 
     
     
       15. The method of  claim 11 , further comprising interrogating the switch for switch information comprising the current port configuration by sending a system network management protocol (SNMP) query message to the switch.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.